DEV Community: fractalbit

Tips for working with private files in laravel

fractalbit — Sat, 06 Mar 2021 11:46:55 +0000

Let's start by saying this is not a full guide about working with files in laravel. It will not cover how to upload files for example or provide a full working example that you can test-drive yourself. But I will highlight some things I learned working with non-public files as my journey to learn laravel continues. I encourage you to chime in the comments if you have any suggestions/improvements.

When building applications that users and authentication/authorization is involved you should not store files that belong to users in the public folder. That would mean anyone with the url could download the file and you definetely don't want this. One thought might be to have non-standard filenames stored in the database. For example you could append a long and random string of characters at the end of the filename.

$filename = 'report_' . \Str::random(20) . '.pdf';

That way, you cannot easily guess the filename and by default you cannot browse the public folder for a list of available files. But this is not a bulletproof solution. If the filename leaks, one way or another, anyone could download the file without even logging in. In some cases you may actually want this, but in our case lets say we only want the owner to be able to download the file. So what can we do?

First, we should store the file in a folder like storage\app\userfiles and not in storage\app\public. The files there are secure, but how do you provide a link to the user to download the file if they are not accessible?

    <!-- Some view.blade.php file -->

    <!-- url and asset helpers will result in a 404, file not found error -->
    <a href="{{ url('app/userfiles/report1253.pdf') }}">Download</a>
    <!-- Because the file is simply not accessible outside our app code while not in the public folder -->

What we can do, is create a route that points to a Controller method and that method is responsible to do all the authentication/authorization needed before returning a download response, so the owner can get the file. Let's see an example...

    // In web.php
    Route::get('/file/download/{file}', [FileAccessController::class, 'download']);


    // In FileAccessController.php
    public function download(FileModel $file)
    {
        // We should do our authentication/authorization checks here
        // We assume you have a FileModel with a defined belongs to User relationship.
        if(Auth::user() && Auth::id() === $file->user->id) {
            // filename should be a relative path inside storage/app to your file like 'userfiles/report1253.pdf'
            return Storage::download($file->filename);
        }else{
            return abort('403');
        }
    }

    <!-- In a blade view -->
    <a href="/file/download/1253">Download</a>

If the file is, for example, a private image and we want to display it (instead of downloading) only to the user it belongs, we could return a file response instead.

    // In web.php
    Route::get('/file/serve/{file}', [FileAccessController::class, 'serve']);

    // In FileAccessController.php
    public function serve(FileModel $file)
    {
        if(Auth::user() && Auth::id() === $file->user->id) {
            // Here we don't use the Storage facade that assumes the storage/app folder
            // So filename should be a relative path inside storage to your file like 'app/userfiles/report1253.pdf'
            $filepath = storage_path($file->filename);
            return response()->file($filepath);
        }else{
            return abort('404');
        }
    }

    <!-- In a blade view -->
    <img src="/file/serve/1253">

The above techniques are also useful when working with files through ajax requests. Let's say we generate a large pdf file that takes 10 seconds to create. We want to show the user a loader and after the file is created, hide the loader and prompt the user to download the file. I found some solutions on how to accept a blob response in javascript/jquery but i didn't like it much. It felt too "hacky". So instead, we could just return an id of the file, that could be used to redirect the user to the correct route after the file is created...

    // Jquery example, sorry! :P

    function ajaxExport(){ // ex. invoked from a button click
        $('#loader').show();

        $.get('/generate-time-consuming-pdf', function( fileId ) {
            $('#loader').hide();
            if(fileId) window.location = '/file/download/' + fileId;
        });
    }

That's it for now. I hope you found the article useful and i would love to hear your feedback.

If you like this article, you may also like my tweets. Have a look at my Twitter profile.

Tips for working with private files in laravel

fractalbit — Sat, 06 Mar 2021 01:32:13 +0000

Let's start by saying this is not a full guide about working with files in laravel. It will not cover how to upload files for example or provide a full working example that you can test-drive yourself. But I will highlight some things I learned working with files while building applications as my journey to learn laravel continues. I encourage you to chime in the comments if you have any suggestions/improvements.

When building applications that users and authentication/authorization is involved you cannot store files that belong to users in the public folder. That would mean anyone with the url could download the file and you definetely don't want this. One thought might be to have non-standard filenames stored in the database, for example you could append a long and random string of characters at the end of the filename.

$filename = 'report_' . \Str::random(20) . '.pdf';

That way, you cannot easily guess the filename and by default you cannot browse the public folder for a list of available files. But this is not a bulletproof solution. If the filename leaks, one way or another, anyone could download the file without even logging in. In some cases you may actually want this (authorize via link sharing). But in our case lets say we only want the owner to be able to download the file. So what can you do?

First, you should store the file in a folder like storage\app\userfiles and not in storage\app\public. The files there are secure, but how do you provide a link to the user to download the file if they are not accessible?

    <!-- Some view.blade.php file -->

    <!-- url and asset helpers will result in a 404, file not found error -->
    <a href="{{ url('app/userfiles/report1253.pdf') }}">Download</a>
    <!-- Because the file is simply not accessible outside our app code while not in the public folder -->

What you can do, is create a route that points to a Controller method and that method is responsible to do all the authentication/authorization needed before returning a download response so the owner can get the file. Let's see an example...

    // In web.php
    Route::get('/file/download/{file}', [FileAccessController::class, 'download']);


    // In FileAccessController.php
    public function download(FileModel $file)
    {
        // You should do your authentication/authorization checks here
        // We assume you have a FileModel with a defined belongs to User relationship.
        if(Auth::user() && Auth::id() === $file->user->id) {
            $filepath = storage_path($file->filename);
            // filename should be a relative path to your file like 'app/userfiles/report1253.pdf'
            return response()->download($filepath);
        }else{
            return abort('403');
        }
    }

    <!-- In a blade view -->
    <a href="/file/download/1253">Download</a>

If the file is ex. a private image and you want to display it (instead of downloading) only to the user it belongs, you could return a file response instead.

    // In web.php
    Route::get('/file/serve/{file}', [FileAccessController::class, 'serve']);

    // In FileAccessController.php
    public function serve(FileModel $file)
    {
        if(Auth::user() && Auth::id() === $file->user->id) {
            $filepath = storage_path($file->filename);
            return response()->file($filepath);
        }else{
            return abort('404');
        }
    }

    <!-- In a blade view -->
    <img src="{{ route('/file/serve/' . $fileId) }}">

The above techniques are also useful when working with files through ajax requests. Let's say you create a large pdf file that takes 10 seconds to create. You would want to show the user a loader and after the file is created, hide the loader and prompt him to download the file. I found some solutions on how to accept a blob response in javascript/jquery but i didn't like it much. It felt too "hacky". So instead, you could just return an id of the file, that could be used to redirect the user to the correct route after the file is created...

    // Jquery example, sorry! :P

    function ajaxExport(){ // ex. invoked from a button click
        event.preventDefault();

        $('#loader').show();

        $.get('/generate-time-consuming-pdf', function( fileId ) {
            $('#loader').hide();
            if(fileId) window.location = '/file/download/' + fileId;
        });
    }

That's it for now. I hope you found the article useful and i would love to hear your feedback.

How to create a custom Policy and enforce it in a BREAD (Voyager)

fractalbit — Sat, 18 Jul 2020 13:50:40 +0000

Let's say we want to limit access to a BREAD based on who created it. More specifically users should be able to create new records but only edit/delete and browse their own. Admins should have full control to all the records regardless of who created it.

Along the way, you will learn:

How to Create a custom Policy and enforce it to a particular BREAD
How to override the save method of a Model
How to scope results
How to override Voyager's Views

I assume you have basic familiarity with the Voyager admin (ex. how to create a BREAD for a db table) and with basic concepts of OOP PHP and laravel.

So let's get started. For our example, let's say we have a Workstation Model to store data for their specs and each company (identified with a user account) should be able to add/edit/view only their own workstations. We have also created the respective BREAD for our table from the voyager admin.

First we need to add an owner_id field to our table and exclude it from the BREAD (uncheck all or at least Edit, Add and Delete). The field should be populated automatically when creating a new record, so the users should not be able change it. To do this we will override the save method of our Model.

Override the save method of our Model

Open Workstation.php and add the following method

public function save(array $options = [])
{
    // If no owner has been assigned,
    // assign the current user's id as the owner of the workstation
    if (!$this->owner_id && Auth::user()) {
        $this->owner_id = Auth::user()->getKey();
    }

    return parent::save();
}

Now everytime a workstation is saved or updated, we will first check if the owner_id is null. If it is, it will be populated with the id of the current logged in user. If it already has a value, it will not be changed. That means that the owner_id is only saved once, when we create a record, and will not be changed if another user (ex. admin) updates the record (if this happened the original owner would loose access to his record).

Important update

Since publishing the article, I posted the link to Voyager's slack channel looking for suggestions. As it turns out, there is a much simpler and cleaner way to achieve what we want without using a Policy and overriding the browse View. The only thing needed is to create a new Scope for our Model and use it in the respective BREAD. Let's see how:

Create a Model Scope to limit access

Since we want the users to not see the other records at all we can easily do so by creating a Scope for our Model. To create a new Scope we edit our Model (ex. Workstation.php) and add a scopeScopeName method. This method filters the query based on the conditions we want. The end result should look like this:

<?php

namespace App;

use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Facades\Auth;

class Workstation extends Model
{
    public function scopeCurrentUser($query)
    {
        return Auth::user()->hasRole('admin') ? $query : $query->where('owner_id', Auth::user()->id);
    }

    public function save(array $options = [])
    {
        // If no owner has been assigned, assign the current user's id as the owner of the workstation
        if (!$this->owner_id && Auth::user()) {
            $this->owner_id = Auth::user()->getKey();
        }

        return parent::save();
    }
}

Then we edit the respective BREAD and in the "Scope" dropdown field we select "currentUser". We save the BREAD and we are done!

Now users will only see their own records and admins all the records. If a user tries to "hack" and visit an edit or view link for a record he doesn't own (ex. "admin/workstations/2/edit") he will be greeted with a "404 - Not found" page.

Create a new Policy

Important: This is not strictly needed if we are using a Scope (see important update). But in case you want to learn how to use a custom Policy i will leave it in the article (it is in the article's title after all). You may also want to add another layer of security.

To create a new Policy run the following in the terminal.

php artisan make:policy WorkstationPolicy

This will create a WorkstationPolicy.php file in app\Policies that we need to edit. After the modifications the Policy should look like this:

<?php

namespace App\Policies;

use TCG\Voyager\Contracts\User;
use App\Workstation;
use Illuminate\Auth\Access\HandlesAuthorization;
use TCG\Voyager\Policies\BasePolicy;

class WorkstationPolicy extends BasePolicy
{
    use HandlesAuthorization;

    /**
     * Create a new policy instance.
     *
     * @return void
     */
    public function __construct()
    {
        //
    }

    // We can override all the BREAD (browse, read, edit, add and delete) actions here if we need to

    public function edit(User $user, $pc)
    {
        return $pc->owner_id === $user->id || $user->hasRole('admin');
    }

    public function delete(User $user, $pc)
    {
        return $pc->owner_id === $user->id || $user->hasRole('admin');
    }

    public function read(User $user, $pc)
    {
        return $pc->owner_id === $user->id || $user->hasRole('admin');
    }
}

It is important that the new Policy extends the BasePolicy from TCG\Voyager\Policies\BasePolicy. Otherwise we will have to define every policy action from scratch. By extending the BasePolicy we can override only the actions we want.

Each action we override accepts two parameters, the current logged in user and an instance of the Model we want the policy to be enforced (in this case the Workstation model, that we named pc for short). We should do the checks we want and then return true or false (allow the action or not).

For our requirements, if the owner_id from the Model matches the id of the logged-in user OR if the user is an admin we will return true (otherwise, if none of the conditions are met, false is returned).

Now we should go to the BREAD of our Model and in the "Policy Name" field enter our new policy: "App\Policies\WorkstationPolicy" (don't forget to save the BREAD). With this in place, if you login to your voyager admin with another, non-admin user, and browse the workstations, you will not see the edit or delete buttons for the records they have not themselves created.

Override the browse View for our Model

Important: This is not needed if we are using a Scope. See important update. If you override the browse View you should definetely enforce the Policy above to block users directly visiting edit or view URLs.

To limit browsing records override the browse view and before "@foreach ($dataTypeContent as $data)" add the following code:

@php
    if(!Auth::user()->hasRole('admin')) $dataTypeContent = $dataTypeContent->where('owner_id','=', Auth::user()->id)
@endphp

@foreach($dataTypeContent as $data)

The recommended way is to use the Scope method above. I am leaving the alternative method because you may find useful how to override a Voyager View for something else.

How to override a Voyager View

Overriding views is very easy. First we copy the view we want (ex. browse.blade.php) from "\vendor\tcg\voyager\resources\views\bread". Then we create the following folder structure "\resources\views\vendor\voyager\workstations" and paste the view there. Now we can do any modification we need for this BREAD's view and voyager will first look if our version exists before using it's own. You should be careful so that the last folder name matches your Model's name with lowercase letters and in plural form (or the "URL Slug" you have entered for that BREAD).

Finally you may also want to check the article Using Policies in Laravel Voyager, it was of great help for me.

Do you have something to add? Maybe a better way to accomplish the above? Maybe you spotted a mistake? Please tell me in the comments, thank you!

Change the height of the rich textbox (tinymce) in laravel voyager

fractalbit — Sun, 12 Jul 2020 14:56:53 +0000

Sometimes, things that seem pretty simple at first glance can be very hard to accomplish. That's what happened when i decided that i didn't like the rich textbox's height in laravel Voyager. It took up almost the whole screen. I had to change it, it should be pretty easy i thought...

But 2-3 hours later, i was still searching the web for a solution and trying various things without much success.

I will not bother you with all the things that i tried, i don't really remember them anyway! This is just a quick tip, that hopefully will save you some searching and fiddling around. As you will see, it is very easy once you have figured it out.

Step 1. Open config/voyager.php, find 'additional_js', uncomment the 'js/custom.js' line as shown below, and save the file.

'additional_js' => [
        'js/custom.js',
    ],

Step 2. Create the custom.js file in the public/js folder and paste in the following code.

function tinymce_setup_callback(editor) {
  tinymce.init({
    menubar: false,
    selector: "textarea.richTextBox",
    skin_url:
      $('meta[name="assets-path"]').attr("content") + "?path=js/skins/voyager",
    min_height: 100,
    height: 200,
    resize: "vertical",
    plugins: "link, image, code, table, textcolor, lists",
    extended_valid_elements:
      "input[id|name|value|type|class|style|required|placeholder|autocomplete|onclick]",
    file_browser_callback: function (field_name, url, type, win) {
      if (type == "image") {
        $("#upload_file").trigger("click")
      }
    },
    toolbar:
      "styleselect bold italic underline | forecolor backcolor | alignleft aligncenter alignright | bullist numlist outdent indent | link image table | code",
    convert_urls: false,
    image_caption: true,
    image_title: true,
  })
}

Now change min_height and height values to suit your needs (values are in pixels). Save the file and move to step 3.

There is no step 3. Enjoy! :)

Of course, since you now have the whole tinymce initial config in your custom.js file, feel free to customize even more things about it. You may need to refer to the tinymce docs.

Deploy a laravel 7 app to shared hosting

fractalbit — Sun, 12 Jul 2020 12:08:16 +0000

I know there are much better ways to deploy a laravel application. For example laravel forge and envoyer. But if you are like me, just trying things out, you may not want to invest to these paid alternatives with monthly subscriptions. This was something that bugged me for years. I hesitated to learn laravel because it seemed that it needed special and costly tools to work with it. I am glad i finally decided to give laravel a try though, it's awesome! The good news are that you can deploy a modern laravel 7 app to your shared hosting account using just FTP, it just requires some added effort on our part.

The example steps below has been tested with a laravel 7 app using voyager and installing it in a subfolder of my shared hosting account (which is using plesk). It should apply to any laravel 7 app though and should work with any hosting provider as long as it meets the laravel requirements (ex. supported php version). Just be careful to change the paths to fit your application and folder-structure on your server. I assume that you know how to connect with FTP (ex. with filezilla) to your account, create folders, upload files etc. I also assume you know how to export and import a database from phpmyadmin.

So let's see the steps required...

Create a new folder ex. "deploy", outside your project directory (otherwise be sure to add it to the .gitignore file). All the files we edit should be saved there, so we will not break our local setup :)
Edit the .env file with the correct settings for your server (APP_URL and the DB_settingName settings) and save it to the deploy folder.
Upload all folders except public on a folder above "public_html" or "httpdocs" to another folder ex. "myapp-core"

This is absolutely necessary for security reasons. The .env file that holds database passwords and other important configuration data is a plain text file so it should be in a folder not accessible to the puclic.
Upload the contents of the public folder to "public_html/myapp" (cpanel hosting) or "httpdocs/myapp" (plesk hosting).
Change the paths of the index.php file to correctly point to "myapp-core". For example:
```
require __DIR__ . '/../../myapp-core/vendor/autoload.php';

$app = require_once __DIR__ . '/../../myapp-core/bootstrap/app.php';
```
and save the file to the deploy folder. Since we are deploying the app to the myapp subfolder inside the public folder, we need to go up two times (../../) to find the myapp-core directory. If you are deploying without a subfolder you only need "../" once.

In the /App/Providers/AppServiceProvider.php file, modify the register() method.

public function register()
{
    // Let laravel know the public path of your application
    $this->app->bind('path.public', function () {
        return base_path('../httpdocs');
        // Change httpdocs to public_html if you are using cpanel
    });
}

and save the file to the deploy folder.

Upload the files you edited from the deploy folder to their respective folders on the server, overwriting the old files. for example AppServiceProvider.php should go to myapp-core/App/Providers/ folder.
Almost there. We need to create a symbolic link for the storage directory (which is outsite our public folder) to point to the public directory. To do this, create a new php file and paste the following code:
```
<?php

$targetFolder = $_SERVER['DOCUMENT_ROOT'] . '/../myapp-core/storage/app/public';
$linkFolder = $_SERVER['DOCUMENT_ROOT'] . '/myapp/storage';
symlink($targetFolder, $linkFolder) or die("error creating symlink");
echo 'Symlink process successfully completed';
```
Change the paths to match yours, save it as create-symlink.php, upload it to the public/myapp folder and visit http://yourdomain/myapp/create-symlink.php to run it. If you see the success message, delete the file from the server and move to the final step.
Transfer the database from your local phpmyadmin to your server. If you encounter errors while importing, for example "Specified key was too long; max key length is 767 bytes", try to export and import in mysql4 compatibility mode (click advanced and choose the appropriate option).

Cross your fingers and visit your site, your new laravel app should be up and running! Give it a try and see if everything is working correctly. If you want something to add in the above process write in the comments.

If you want a video overview of the proccess check out this guide from Brad Traversy (excellent programming tutorials).

If you want to get started with laravel locally and you are using windows i highly recommend laragon. Have fun!